Pulse Secure is currently testing LDAP authentication against domain controllers configured with the changes described in Microsoft advisory ADV190023. No issues have been found so far; this KB will be updated if testing reveals any.
LdapEnforceChannelBinding registry locations (as documented in ADV190023):
Path for Active Directory Domain Services (AD DS) domain controllers:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Path for Active Directory Lightweight Directory Services (AD LDS) servers:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<LDS instance name>\Parameters
DWORD value: 0 indicates disabled. No channel binding validation is performed. This is the behavior of all servers that have not been updated.
DWORD value: 1 indicates enabled, when supported. All clients that are running on a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server. Clients that are running a version of Windows that has not been updated to support CBT do not have to do so. This is an intermediate option that allows for application compatibility.
DWORD value: 2 indicates enabled, always. All clients must provide channel binding information. The server rejects authentication requests from clients that do not do so.
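The following script is an added example for auditing the three settings described above; it is not Pulse Secure's or Microsoft's code. It reads LdapEnforceChannelBinding from the AD DS key and from the key of every AD LDS instance hosted on the same server, reports what each value means, and can optionally raise the value to 1 or 2. It assumes the AD DS key is Services\NTDS\Parameters (per ADV190023), that each AD LDS instance's key sits under Services\<service name>\Parameters, and that AD LDS services are named ADAM_<instance name>; run it in an elevated PowerShell session on the server itself.

```powershell
# Added example (not from the Pulse Secure KB): audit LdapEnforceChannelBinding on a
# server hosting AD DS and/or AD LDS, and optionally set it to 1 or 2.
# Assumptions: AD DS key = Services\NTDS\Parameters (per ADV190023); AD LDS keys =
# Services\<service name>\Parameters with services named ADAM_<instance name>.
param(
    # -1 = audit only. Pass -SetValue 1 (enable when supported) or 2 (enforce always).
    [int]$SetValue = -1
)

# Meaning of each DWORD value, as described in ADV190023.
$Meaning = @{
    0 = 'disabled: no channel binding validation (behaviour of un-updated servers)'
    1 = 'enabled when supported: CBT-capable Windows clients must supply a CBT'
    2 = 'enabled always: every client must supply a CBT or the bind is rejected'
}

function Get-ChannelBindingState {
    param([string]$Label, [string]$KeyPath)
    $item = Get-ItemProperty -Path $KeyPath -Name 'LdapEnforceChannelBinding' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # A missing value behaves like 0: nothing is validated.
        $value = $null
        $text  = 'not set (' + $Meaning[0] + ')'
    } else {
        $value = [int]$item.LdapEnforceChannelBinding
        $text  = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { 'unexpected value' }
    }
    [pscustomobject]@{ Target = $Label; KeyPath = $KeyPath; Value = $value; Meaning = $text }
}

# Keys to inspect: the domain controller key plus one key per AD LDS instance.
$keys = @(@{ Label = 'AD DS'; KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' })
Get-Service -Name 'ADAM_*' -ErrorAction SilentlyContinue | ForEach-Object {
    $keys += @{ Label   = "AD LDS ($($_.Name))"
                KeyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters" }
}

# Report only keys that exist; a server without the NTDS key simply holds no DC role.
$states = foreach ($k in $keys) {
    if (Test-Path $k.KeyPath) { Get-ChannelBindingState -Label $k.Label -KeyPath $k.KeyPath }
}
$states | Format-Table -AutoSize

if ($SetValue -in 1, 2) {
    foreach ($s in $states) {
        # Start with 1 (application compatibility); move to 2 once all clients send a CBT.
        Set-ItemProperty -Path $s.KeyPath -Name 'LdapEnforceChannelBinding' -Value $SetValue -Type DWord
        Write-Host "Set $($s.Target) LdapEnforceChannelBinding=$SetValue ($($Meaning[$SetValue]))"
    }
}
```

Run the script with no arguments to audit, or with -SetValue 1 or -SetValue 2 to change the setting on every key it found (the script filename is your choice; it is not a Pulse Secure tool). Stepping through value 1 before value 2 preserves the intermediate compatibility mode that ADV190023 describes.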
When the domain controllers have LdapEnforceChannelBinding enabled (1) or enforced (2) and the Pulse Secure appliance authenticates against them, communication with those domain controllers works only over LDAPS on port 636, not over plain LDAP on port 389.
That is, under LDAP Server > LDAP Server Type, whether you select "Active Directory" or "Generic":
i) LDAPS (port 636) must be used.
ii) Unencrypted will not work, because it uses port 389.
NOTE: If the authentication server type is Active Directory, testing is still in progress; this KB will be updated if any issues are found.